A new infostealer called VIPKeyLogger has been observed

Threat Overview

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware is delivered as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. VIPKeyLogger utilizes steganography to hide obfuscated code within a bitmap image. It exfiltrates various data types, including PC names, country names, clipboard data, screenshots, cookies, and browser history. The stolen information is sent via Telegram to Dynamic DuckDNS C2 servers. The attack chain involves multiple stages, from the initial email lure to payload execution and data exfiltration.

Tactics, Techniques, and Procedures (TTPs)

  • Phishing campaigns: distributed through archive or Microsoft 365 file attachments.
  • The malware is delivered as a .NET compiled file.
  • VIPKeyLogger uses steganography to hide obfuscated code within a bitmap image.
  • Exfiltrates various data types, including PC names, country names, clipboard data, screenshots, cookies, and browser history.

The threat actor exfiltrates information via Dynamic DuckDNS C2 servers. The attack chain involves multiple stages, from the initial email lure to payload execution and data exfiltration.
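The report says the payload is hidden inside a bitmap image. One defender-side heuristic for that is to compare a BMP's declared geometry with its real length: a file with bytes after the pixel array carries an overlay that image viewers silently ignore. The following is an added example written for this page, not code from ESSGroup or from the malware; the BMP builder only exists to construct sample input, and the entropy threshold you apply on top of the result is your own choice. It checks only appended data, not pixel-level (LSB) steganography.

```python
"""Heuristic check for data appended after a BMP's pixel array.

Added example for this page (not ESSGroup's or the malware's code):
parses the BMP/DIB headers, computes where the pixel array must end,
and reports any trailing bytes plus their Shannon entropy.
"""
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 mean random-looking (packed/encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(blob: bytes) -> dict:
    """Return declared vs. actual sizes and whether an overlay is present."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size, = struct.unpack_from("<I", blob, 2)   # file size per header
    pixel_offset, = struct.unpack_from("<I", blob, 10)   # start of pixel array
    width, height = struct.unpack_from("<ii", blob, 18)  # height may be negative (top-down)
    bpp, = struct.unpack_from("<H", blob, 28)            # bits per pixel
    row_stride = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    expected_end = pixel_offset + row_stride * abs(height)
    overlay = blob[expected_end:]
    return {
        "declared_size": declared_size,
        "actual_size": len(blob),
        "expected_end": expected_end,
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "suspicious": len(overlay) > 0,
    }


def build_bmp(width: int, height: int, overlay: bytes = b"") -> bytes:
    """Construct a minimal 24-bit BMP (sample input only), optionally with trailing bytes."""
    row_stride = ((width * 24 + 31) // 32) * 4
    pixels = bytes(row_stride * height)  # all-black image
    size = 54 + len(pixels)              # declared size deliberately excludes the overlay
    file_header = struct.pack("<2sIHHI", b"BM", size, 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels + overlay


if __name__ == "__main__":
    clean = build_bmp(4, 2)
    tampered = build_bmp(4, 2, overlay=bytes(range(256)))  # constructed high-entropy tail
    print("clean:   ", inspect_bmp(clean))
    print("tampered:", inspect_bmp(tampered))
```

The check keys on geometry rather than the declared file size, because whoever appends the overlay may or may not rewrite that header field; a high entropy value on the trailing bytes is what separates a random-looking blob from a benign metadata trailer.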

Network Traffic Patterns

  • Packets with apparently legitimate or innocuous content are used as a decoy to evade security controls.
  • Dynamic DNS is used to establish a hidden back-connection from compromised systems to external IP addresses that can be changed easily without being detected.
  • TCP/IP traffic may be encrypted, making malicious activity harder to identify for security monitoring purposes.
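Because the report names DuckDNS dynamic DNS for C2 and Telegram for exfiltration, the two destinations are cheap to hunt for in DNS or proxy logs, and a host that touches both is a stronger match to the described chain than either alone. The script below is an added example for this page, not ESSGroup's tooling: the tab-separated log layout (timestamp, host, destination, bytes out) and the five log lines are constructed, `api.telegram.org` is the public Telegram Bot API hostname, and the indicator lists are meant to be extended with whatever your own telemetry supports.

```python
"""Flag hosts talking to dynamic DNS (DuckDNS) and Telegram, per the report.

Added example for this page (not from ESSGroup). Log format is a
constructed tab-separated layout: timestamp, host, destination, bytes_out.
"""
from collections import defaultdict

# Indicators taken from the report's description; extend for your estate.
DYNDNS_SUFFIXES = (".duckdns.org",)
TELEGRAM_HOSTS = {"api.telegram.org"}

# Constructed sample log: WS-104 hits both channels, WS-210 only Telegram.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z\tWS-104\tupdates.example-vendor.test\t512
2024-05-01T08:01:13Z\tWS-104\tquietpanda.duckdns.org\t2048
2024-05-01T08:01:20Z\tWS-104\tapi.telegram.org\t184320
2024-05-01T08:02:00Z\tWS-210\tintranet.corp.test\t1200
2024-05-01T08:05:44Z\tWS-210\tapi.telegram.org\t300
"""


def parse_line(line: str):
    """Split one log record into (timestamp, host, destination, bytes_out)."""
    ts, host, dest, nbytes = line.rstrip("\n").split("\t")
    return ts, host, dest.lower(), int(nbytes)


def classify_dest(dest: str):
    """Return 'telegram', 'dyndns', or None for a destination hostname."""
    if dest in TELEGRAM_HOSTS:
        return "telegram"
    if dest.endswith(DYNDNS_SUFFIXES):
        return "dyndns"
    return None


def scan(log_text: str) -> dict:
    """Aggregate indicator hits per source host and score the combination."""
    findings = defaultdict(lambda: {"dyndns": [], "telegram": [], "bytes_out": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, dest, nbytes = parse_line(line)
        kind = classify_dest(dest)
        if kind is None:
            continue
        findings[host][kind].append(dest)
        findings[host]["bytes_out"] += nbytes
    for entry in findings.values():
        # Both channels from one host matches the reported chain; one alone is worth a look.
        entry["score"] = int(bool(entry["dyndns"])) + int(bool(entry["telegram"]))
        entry["verdict"] = "high" if entry["score"] == 2 else "review"
    return dict(findings)


if __name__ == "__main__":
    for host, entry in scan(SAMPLE_LOG).items():
        print(host, entry["verdict"], entry["bytes_out"], entry["dyndns"], entry["telegram"])
```

Bytes out is carried along because the report lists screenshots among the exfiltrated data; a large upload to the Telegram API from a workstation that also resolves a DuckDNS name is the kind of pairing worth an alert rather than a passive tag.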

Attack Patterns

  • The attack chain typically begins with a phishing campaign targeting specific industry sectors or geographic regions.

The use of real or fabricated credentials is part of the attack pattern, creating the illusion that the attackers are valid employees using legitimate systems and allowing them to bypass security controls.

VIPKeyLogger has also been deployed via Office documents, either as an attachment or embedded in malicious links. This method may not raise suspicion among users who regularly receive these types of attachments and links.

Malware Components

  • Use of open-source code makes it easier for threat actors to adapt the tool to different attack situations.

This allows them to respond rapidly to the evolving nature of security controls. VIPKeyLogger contains malicious components designed to remain below suspicion for extended periods after deployment.

Exfiltration and Analysis

  • Anonymized data are exfiltrated via Dynamic DuckDNS servers.

This allows attackers to obscure their IP addresses, further complicating detection efforts.

  • The VIPKeyLogger tool does not contain a mechanism for data obfuscation or encryption.

Recommendations

Based on the threat report, several recommendations can be made for improving cybersecurity posture:

  • Monitor activity from known adversary groups, such as Secret Blizzard.
  • Improve security training and awareness programs to educate employees and organizations on the tactics of malicious actors.
  • Implement strict access controls around sensitive systems.
  • Regularly update software packages to prevent exploitation of zero-day vulnerabilities.
  • Implement layered web and network security mechanisms.
